When British Airways hit the headlines for all the wrong reasons this week, thanks to news of an impending £183 million fine for last year’s massive data breach, it showed in several ways why it’s more important than ever to take good care of your data.

1. Copyright 2020, Cognition24
www.cognition24.com
What SMEs can learn from the BA data breach
When British Airways hit the headlines for all the wrong reasons this week, thanks to news of
an impending £183 million fine for last year’s massive data breach, it showed in several ways
why it’s more important than ever to take good care of your data.
Firstly, of course, the Information Commissioner’s Office (ICO) demonstrated that it’s serious
about applying GDPR and willing to levy record penalties where organisations have clearly
been complacent about managing third-party data and handling breaches.
And, if you run a smaller business, don’t think this can’t affect you. As Kim Bradford, Managing
Consultant at Sphere Data Protection, points out, “GDPR applies to any business that
processes people’s personal data, so SMEs are subject to exactly the same rules and penalties
as larger enterprises.” That can mean fines of up to 4% of your annual turnover if you are
found to be fundamentally in breach of data protection law.

2. Copyright 2020, Cognition24
www.cognition24.com
But secondly – and probably more importantly – is the threat of reputational damage when
anyone whose data you hold finds out you haven’t been protecting it adequately. And that
can amount to a lot of people, such as past, present and potential customers, as well as
suppliers, partners and more. “The negative impact on businesses, when they’re all of sudden
shown to not be very careful with people’s personal data, can be massive,” says Kim. “That’s
something you really should sit up and pay attention to. Consumers will vote with their feet –
particularly if, like BA did at first, you act defensively and try to downplay the seriousness of
what happened.”
She likens it to a bank having its physical security breached. “If you purchased a box in the
vault of a bank and you put a priceless diamond necklace in there, but the bank was broken
into and the necklace was stolen, you’d ask how the thieves got in. If you found out there was
nobody on guard that day, or if the bank had left the doors open, you’d be horrified, as you’d
have assumed you could trust the bank to keep your possessions safe. And it’s no different
with people’s personal data.”
This is why it’s vital to ensure you’re managing – and protecting – your customer data
according to current best practice, says Tim Chisnall, Cognition24’s Business Director. And
underpinning this, it really helps to have the right technology solutions in place, alongside the
right company procedures. “We’re seeing an increasing demand for solutions that can record
your compliance landscape and any incidents that may breach GDPR rules, to prove to the
ICO that you are fully compliant,” he says.
Managing a breach
What can you do if the worst does happen and you find there’s been a breach of your
customers’ data? Kim’s advises the following:
• If it’s a serious breach – that is, it’s likely to impact negatively on the rights and
freedoms of the individuals whose data has been breached – then you must alert the
ICO within 72 hours (even if it’s a weekend or public holiday).

3. Copyright 2020, Cognition24
www.cognition24.com
• If you’re not sure how serious the breach is, it’s probably best to alert the ICO anyway
to be on the safe side. You can do this by calling, emailing, filling out an online form or
using their webchat, and the people working there are usually helpful.
• Show genuine empathy for the people whose data has been compromised and do
everything you can to smooth things over with them. This could include: being fully
transparent about what happened; issuing regular updates; and publishing sensible
advice such as changing passwords, alerting your bank, going to Action Fraud and so
on.
This latter point, says Kim, is something that most businesses fundamentally fail to do in the
panic of discovering a data breach. “They forget to put themselves in the data subjects’ shoes,
and this only ends up making things worse for them from a reputational perspective,” she
says. “It’s about following the basic principles of good customer service. You should take every
opportunity to live and breathe your brand and inject it into every single touchpoint that you
have with the public – and this should particularly be the case when things go wrong.”
Want to be sure you’re doing the right thing?
If you’re feeling uncertain about whether the data you hold is adequately protected, or what
to do if it’s not, it’s important to seek good advice. Get in touch with Tim and he’d be happy
to discuss the steps you can take to avoid ending up in the same situation as BA.